Grandoreiro trojan expands attacks to Latin America and Europe

March 31, 2025

New phishing campaigns targeting users in Europe and Latin America have returned the Grandoreiro banking malware to the status of an active threat.

The malware, which has been active since at least 2016, originally operated in Brazil before expanding its reach to Mexico, Portugal, and Spain. Recent findings show that Grandoreiro is once again being used to steal financial credentials, posing a significant threat to banking customers.


Grandoreiro is believed to operate under a malware-as-a-service model, allowing cybercriminals to rent access to the trojan.


This banking trojan is linked to the Tetrade group and has managed to survive multiple law enforcement takedown attempts in 2021 and 2024 despite the arrest of several of its operators. In early 2024, it was observed targeting over 1,500 banking applications and websites across more than 60 countries, impersonating government entities from Argentina, Mexico, and South Africa. By the end of the year, its reach had expanded to 1,700 banks and 276 cryptocurrency wallets, with Asia added to its list of targets, turning it into a global financial threat.

The latest phishing campaigns involve cybercriminals impersonating tax agencies in Argentina, Mexico, and Spain to trick victims into revealing their financial details. Attackers are using malicious links hosted on Contabo to distribute the trojan. Once a victim clicks on the link, they are served an obfuscated Visual Basic script along with a disguised Delphi-based executable designed to steal banking credentials. The compressed files are encrypted or password-protected so that security tools cannot inspect their contents.

The phishing emails behind these attacks rely on cloud infrastructure from OVHcloud and are crafted to appear as tax penalty notifications. Victims are tricked into downloading a supposed PDF document, which instead fetches a malware payload from the file-sharing platform Mediafire. Once executed, Grandoreiro steals stored credentials, searches for Bitcoin wallet directories, and connects to a command-and-control server. Attackers frequently rotate subdomains under contaboserver[.]net to evade security defences and prolong their activities.
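A defender-side check for the subdomain rotation described above, added here as an example and not taken from the article or from any vendor's tooling. It scans DNS query logs, reports every query to a watchlisted parent domain (the article names contaboserver[.]net) and, more generally, flags any client that resolves an unusual number of distinct subdomains under one parent, which is the pattern rotating C2 subdomains leave behind. The log line format, the sample lines, the parent-domain heuristic and the churn threshold are all constructed assumptions for this example.

```python
"""Flag hosts that resolve many distinct subdomains of a single parent domain.

Added example, not code from the article: the article reports that Grandoreiro
operators rotate subdomains under contaboserver[.]net. This script reads DNS
query log lines and reports (a) any query touching a watchlisted parent domain
and (b) per client, parent domains with an unusual number of distinct
subdomains (subdomain churn). Log format and sample lines are constructed.
"""
from collections import defaultdict
import re

# Parent domain taken from the article (written there defanged as contaboserver[.]net).
WATCHLIST = {"contaboserver.net"}

# Constructed log format: "<ISO timestamp> <client ip> query <fqdn>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<fqdn>\S+)$")

# Constructed sample log lines: one client resolving three rotating subdomains
# of the watchlisted parent, another client with ordinary traffic only.
SAMPLE_LOGS = """\
2025-03-31T09:00:01Z 10.0.0.5 query a7f3.contaboserver.net
2025-03-31T09:00:07Z 10.0.0.5 query www.example.com
2025-03-31T09:01:12Z 10.0.0.5 query b91c.contaboserver.net
2025-03-31T09:02:40Z 10.0.0.5 query mail.example.com
2025-03-31T09:03:03Z 10.0.0.5 query c2e8.contaboserver.net
2025-03-31T09:04:19Z 10.0.0.9 query www.example.com
2025-03-31T09:05:55Z 10.0.0.9 query cdn.example.com
""".splitlines()


def parent_domain(fqdn):
    """Return the registrable parent as the last two labels.

    Simplifying assumption: a production deployment would consult the Public
    Suffix List so that names like host.example.co.uk are handled correctly.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn.lower()


def parse_line(line):
    """Parse one constructed log line into (timestamp, client, fqdn), or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("client"), m.group("fqdn").lower()


def analyse(lines, churn_threshold=3):
    """Return watchlist hits and per-client parents with >= churn_threshold
    distinct subdomains. churn_threshold is an assumed tuning value."""
    subs = defaultdict(set)  # (client, parent) -> distinct fqdns seen
    watch_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        ts, client, fqdn = rec
        parent = parent_domain(fqdn)
        subs[(client, parent)].add(fqdn)
        if parent in WATCHLIST:
            watch_hits.append((ts, client, fqdn))
    churn = {key: sorted(s) for key, s in subs.items() if len(s) >= churn_threshold}
    return {"watchlist_hits": watch_hits, "subdomain_churn": churn}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOGS)
    for ts, client, fqdn in report["watchlist_hits"]:
        print(f"WATCHLIST {ts} {client} -> {fqdn}")
    for (client, parent), names in report["subdomain_churn"].items():
        print(f"CHURN {client} resolved {len(names)} subdomains of {parent}: {names}")
```

The watchlist check only catches the parent domain the article names; the churn check is the more durable signal, since it does not depend on knowing the parent in advance, but it needs a threshold tuned against the CDN and telemetry domains that legitimately produce many subdomains in your environment.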

Cybersecurity experts warn that Grandoreiro remains a persistent and evolving threat.

Users must be cautious when receiving unexpected emails, especially those requesting urgent financial actions. Using strong cybersecurity measures, such as up-to-date antivirus software and email filtering tools, can help prevent infections and safeguard personal and financial information.
